From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>,
Kees Cook <keescook@chromium.org>,
kexec@lists.infradead.org,
linux kernel mailing list <linux-kernel@vger.kernel.org>,
horms@verge.net.au, "Eric W. Biederman" <ebiederm@xmission.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Matthew Garrett <mjg@redhat.com>, Dave Young <dyoung@redhat.com>,
Khalid Aziz <khalid@gonehiking.org>
Subject: Re: [RFC] Kdump with signed images
Date: Thu, 25 Oct 2012 01:43:59 -0400 [thread overview]
Message-ID: <1351143839.18115.57.camel@falcor> (raw)
In-Reply-To: <20121024171926.GD1821@redhat.com>
On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
> On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> > Matthew Garrett <mjg@redhat.com> writes:
> >
> > > On Tue, Oct 23, 2012 at 10:59:20AM -0400, Vivek Goyal wrote:
> > >
> > >> But what about creation of a new program which can call kexec_load()
> > >> and execute an unsigned kernel. Doesn't look like that will be
> > >> prevented using IMA.
Like the existing kernel modules, kexec_load() is not file descriptor
based. There isn't an LSM or IMA-appraisal hook here.
> > > Right. Trusting userspace would require a new system call that passes in
> > > a signature of the userspace binary, and the kernel would then have to
> > > verify the ELF object in memory in order to ensure that it
> > > matches the signature. Verifying that the copy on the filesystem is
> > > unmodified isn't adequate - an attacker could simply have paused the
> > > process and injected code.
I haven't looked at kexec_load() in detail, but like kernel modules, I
think the better solution would be to pass a file descriptor, especially
if you're discussing a new system call. (cc'ing Kees.)
> > Verifying the copy on the filesystem at exec time is perfectly adequate
> > for gating extra permissions. Certainly that is the model everywhere
> > else in the signed key chain.
> >
> > Where IMA falls short is there is no offline signing capability in IMA
> > itself. I think EVM may fix that.
I'm not sure what you mean by offline signing capability. IMA-appraisal
verifies a file's 'security.ima' xattr, which may contain a hash or a
digital signature. EVM protects a file's metadata, including
'security.ima'. 'security.evm' can be either an hmac or a digital
signature.
> [ CCing lkml. I think it is a good idea to open discussion to wider
> audience. Also CCing IMA/EVM folks ]
thanks!
> Based on reading following wiki page, looks like EVM also does not allow
> offline signing capability. And EVM is protecting IMA data to protect
> against offline attack. If we can assume that unisgned kernels can't be
> booted on the platform, then EVM might not be a strict requirement in
> this case.
> So as you said, one of the main problem with IMA use to verify /sbin/kexec
> is that IMA does not provide offline signing capability.
?
> >
> > > Realistically, the only solution here is for
> > > the kernel to verify that the kernel it's about to boot is signed and
> > > for it not to take any untrusted executable code from userspace.
From an IMA, as opposed to an IMA-appraisal, perspective, kexec is
problematic. IMA maintains a measurement list and extends a PCR with
the file hash. The measurement list and PCR value are used to attest to
the integrity of the running system. As the original measurement list
is lost after kexec, but the PCR value hasn't been reset, the
measuremnet list and PCR value won't agree.
> > Hogwash. The kernel verifing a signature of /sbin/kexec at exec time is
> > perfectly reasonable, and realistic. In fact finding a way to trust
> > small bits of userspace even if root is compromised seems a far superior
> > model to simply solving the signing problem for /sbin/kexec.
Huh? I don't understand what you're suggesting. Once root has been
compromised, that's it.
> > Although I do admit some part of the kexec process will need to verify
> > keys on the images we decide to boot.
Which keys? Isn't the kernel module key builtin to the kernel and
included in the kernel image signature?
> It should be an option, isn't it? Either /sbin/kexec can try to verify the
> integrity of kernel or we extend try to extend kexec() system call to also
> pass the signature of kernel and let kernel verify it (as you mentioned
> previously).
>
> Thanks
> Vivek
>
As suggested above, please consider passing a file descriptor, at least
in addition, if not in lieu of a signature.
thanks,
Mimi
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2012-10-25 5:46 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-18 3:10 [PATCH v2] kdump: pass acpi_rsdp= to 2nd kernel for efi booting Dave Young
2012-10-18 14:56 ` Khalid Aziz
2012-10-18 19:11 ` Vivek Goyal
2012-10-18 19:22 ` Khalid Aziz
2012-10-18 19:38 ` [RFC] Kdump with UEFI secure boot (Re: [PATCH v2] kdump: pass acpi_rsdp= to 2nd kernel for efi booting) Vivek Goyal
2012-10-18 19:55 ` Matthew Garrett
2012-10-18 22:25 ` Eric W. Biederman
2012-10-19 2:06 ` Vivek Goyal
2012-10-19 3:36 ` Eric W. Biederman
2012-10-19 14:31 ` Vivek Goyal
2012-10-22 20:43 ` Vivek Goyal
2012-10-22 21:11 ` Eric W. Biederman
2012-10-23 2:04 ` Simon Horman
2012-10-23 13:24 ` Vivek Goyal
2012-10-23 16:26 ` [RFC] Kdump with signed images Eric W. Biederman
2012-10-23 17:39 ` Vivek Goyal
2012-10-23 19:11 ` Maxim Uvarov
2012-10-23 19:16 ` Vivek Goyal
2012-10-22 21:07 ` [RFC] Kdump with UEFI secure boot (Re: [PATCH v2] kdump: pass acpi_rsdp= to 2nd kernel for efi booting) Eric W. Biederman
2012-10-23 13:18 ` Vivek Goyal
2012-10-23 14:59 ` Vivek Goyal
2012-10-23 15:41 ` Matthew Garrett
2012-10-23 16:44 ` [RFC] Kdump with signed images Eric W. Biederman
2012-10-23 16:52 ` Matthew Garrett
2012-10-24 17:19 ` Vivek Goyal
2012-10-25 5:43 ` Mimi Zohar [this message]
2012-10-25 6:44 ` Kees Cook
2012-10-25 7:01 ` Mimi Zohar
2012-10-25 13:54 ` Vivek Goyal
2012-10-25 19:06 ` Mimi Zohar
2012-10-25 15:39 ` [RFC] Kdump with UEFI secure boot (Re: [PATCH v2] kdump: pass acpi_rsdp= to 2nd kernel for efi booting) Vivek Goyal
2012-10-23 16:19 ` Kdump with signed images Eric W. Biederman
2012-10-23 16:31 ` Matthew Garrett
2012-10-23 17:03 ` Eric W. Biederman
2012-10-23 17:09 ` Matthew Garrett
2012-10-24 17:36 ` Vivek Goyal
2012-10-25 6:10 ` Mimi Zohar
2012-10-25 14:10 ` Vivek Goyal
2012-10-25 18:40 ` Mimi Zohar
2012-10-25 18:55 ` Vivek Goyal
2012-10-26 1:15 ` Mimi Zohar
2012-10-26 2:39 ` Matthew Garrett
2012-10-26 3:30 ` Eric W. Biederman
2012-10-26 17:06 ` Vivek Goyal
2012-10-26 18:37 ` Mimi Zohar
2012-11-01 13:10 ` Vivek Goyal
2012-11-01 13:53 ` Vivek Goyal
2012-11-01 14:29 ` Mimi Zohar
2012-11-01 14:43 ` Vivek Goyal
2012-11-01 14:52 ` Matthew Garrett
2012-11-02 13:23 ` Vivek Goyal
2012-11-02 14:29 ` Balbir Singh
2012-11-02 14:36 ` Vivek Goyal
2012-11-03 3:02 ` Balbir Singh
2012-11-02 21:34 ` H. Peter Anvin
2012-11-02 21:32 ` Eric W. Biederman
2012-11-05 18:03 ` Vivek Goyal
2012-11-05 19:44 ` Eric W. Biederman
2012-11-05 20:42 ` Vivek Goyal
2012-11-05 23:01 ` H. Peter Anvin
2012-11-06 19:34 ` Vivek Goyal
2012-11-06 23:51 ` Eric W. Biederman
2012-11-08 19:40 ` Vivek Goyal
2012-11-08 19:45 ` Vivek Goyal
2012-11-08 21:03 ` Eric W. Biederman
2012-11-09 14:39 ` Vivek Goyal
2012-11-15 5:09 ` Eric W. Biederman
2012-11-15 12:56 ` Mimi Zohar
2012-11-08 20:46 ` Mimi Zohar
2012-11-01 14:51 ` Vivek Goyal
2012-11-01 14:57 ` Matthew Garrett
2012-11-01 15:10 ` Khalid Aziz
2012-11-01 16:23 ` Matthew Garrett
2012-11-02 16:57 ` Khalid Aziz
2012-10-26 17:59 ` Mimi Zohar
2012-10-26 18:19 ` Matthew Garrett
2012-10-26 18:25 ` Mimi Zohar
2012-10-23 15:51 ` [RFC] Kdump with UEFI secure boot (Re: [PATCH v2] kdump: pass acpi_rsdp= to 2nd kernel for efi booting) Eric W. Biederman
2012-10-23 17:18 ` Vivek Goyal
2012-10-19 17:53 ` Vivek Goyal
2012-10-22 21:15 ` Eric W. Biederman
2012-11-02 21:36 ` H. Peter Anvin
2012-11-05 18:11 ` Vivek Goyal
2012-11-05 19:54 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1351143839.18115.57.camel@falcor \
--to=zohar@linux.vnet.ibm.com \
--cc=dmitry.kasatkin@intel.com \
--cc=dyoung@redhat.com \
--cc=ebiederm@xmission.com \
--cc=horms@verge.net.au \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=khalid@gonehiking.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg@redhat.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox